I've been a LastPass Premium user for a couple of years, and I've really enjoyed it. It's a good product, very user-friendly, and the apps are well done. I've been wanting to switch to another password manager for a while, due to security concerns: plenty of cloud companies have been compromised, and LastPass might as well be next.

Over the last few days, LastPass has been down, or running a suboptimal service, for many users, including myself, and since my last attempt at renewing my LastPass Premium subscription was declined by my bank for some reason, I figured now was as good a time as any to make a move to something else.

I've dabbled a bit with the Master Password app, which is a stateless password manager. I really like the idea, but then what do I do with all the logins and secure notes I already have stored in my LastPass vault? I don't see a simple way of storing those in Master Password. My alternative was therefore a stateful password manager, and here's where KeePass comes in. KeePass is an open-source password manager from the 00s, initially for Windows but ported to a staggering variety of platforms, most likely including the one you are reading this on. It saves its content in an encrypted database, which you can then stick on a server and access through as many apps as you like.

Getting your vault out of LastPass

I wanted to export my LastPass vault and import it into some form of KeePass port. Here are the steps I followed:

Logged into LastPass on the web, clicked on "More options" and selected "Export".

Saving the resulting page doesn't help you at all, so you have to select the content of your now unencrypted LastPass vault and paste it into a text file (any empty document in an editor will do).

Save that text file and give it the extension .csv. Bear in mind that this file holds every password in your vault in plain text, so delete it once the import is done.

Getting your vault into KeePass

The next step was to get my LastPass CSV vault into the KeePass database format. It turned out that finding an app that supports direct import of plain CSV files was not so easy (most required XML files), but in the end I found one called KeePassXC which accepts CSV files. Handy. Alternatively, if you can't find one that will import CSV files on your platform, you can use lastpass2keepass.py to convert the .csv file to XML, which will then hopefully work for you.
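To make the CSV-to-XML step concrete, here is an added example converter (it is not lastpass2keepass.py, and not code from LastPass or KeePass). It assumes the export carries the columns url,username,password,extra,name,grouping,fav (the layout of LastPass exports around the time of this post), that secure notes are marked with the sentinel URL http://sn, and that the target is the flat KeePass 1.x XML layout (pwlist/pwentry). The sample export is constructed; it includes a multi-line secure note and a password containing a comma, the two cases a naive split on commas gets wrong.

```python
"""Convert a LastPass CSV export to the KeePass 1.x XML import format.

Added example for this post; it is neither lastpass2keepass.py nor code from
LastPass or KeePass. Assumptions: the export has the columns
url,username,password,extra,name,grouping,fav (the layout of LastPass exports
around the time of this post), secure notes use the sentinel URL http://sn,
and the target is the flat KeePass 1.x XML layout (<pwlist><pwentry>...).
"""
import csv
import io
import os
import sys
import xml.etree.ElementTree as ET

# Columns a LastPass export is assumed to carry (see docstring).
EXPECTED_COLUMNS = {"url", "username", "password", "extra", "name", "grouping", "fav"}
SECURE_NOTE_URL = "http://sn"  # assumed LastPass marker for secure notes

# Constructed sample export: a login, a secure note with a multi-line body,
# and a login whose password contains a comma (both need real CSV parsing).
SAMPLE_CSV = """url,username,password,extra,name,grouping,fav
https://example.com/login,alice,correct horse battery staple,,Example Site,Work,0
http://sn,,,"Wifi key:
hunter2",Home WiFi,Home\\Network,1
https://mail.example.net,bob@example.net,"p4ss,word",Recovery codes stored offline,Mail,,0
"""


def parse_lastpass_csv(text):
    """Return the export as a list of dicts, refusing input without the expected header."""
    reader = csv.DictReader(io.StringIO(text))
    missing = EXPECTED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError("not a LastPass export; missing columns: %s" % sorted(missing))
    return list(reader)


def lastpass_to_keepass_xml(text):
    """Build the KeePass 1.x XML document and return it as a string."""
    root = ET.Element("pwlist")
    for row in parse_lastpass_csv(text):
        entry = ET.SubElement(root, "pwentry")
        # KeePass needs a group; LastPass leaves "grouping" empty for unfiled items.
        ET.SubElement(entry, "group").text = row["grouping"] or "General"
        ET.SubElement(entry, "title").text = row["name"]
        ET.SubElement(entry, "username").text = row["username"]
        # Secure notes carry no real URL; their text lives in "extra" -> notes.
        ET.SubElement(entry, "url").text = "" if row["url"] == SECURE_NOTE_URL else row["url"]
        ET.SubElement(entry, "password").text = row["password"]
        ET.SubElement(entry, "notes").text = row["extra"]
    return ET.tostring(root, encoding="unicode")


def write_private(path, data):
    """Write the (plain-text!) XML readable by the owner only; delete it after the import."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)


if __name__ == "__main__":
    # Usage: python lp2kp.py export.csv out.xml   (no arguments: convert the sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", newline="") as fh:
            write_private(sys.argv[2], lastpass_to_keepass_xml(fh.read()))
    else:
        print(lastpass_to_keepass_xml(SAMPLE_CSV))
```

The converter uses Python's csv module rather than splitting lines by hand, so quoted fields with embedded newlines or commas survive, and it refuses a file whose header does not match, which catches pasting the wrong page. The output file is as sensitive as the CSV (every password in clear text), which is why it is created owner-readable only and should be removed once KeePass has imported it.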

Once imported, you will have a .kdbx file, which is the encrypted KeePass database; somewhere along the way you have to create a password for the database file. Think of it as the equivalent of your LastPass master password: the one password that gives you access to your vault. Need help picking a good password?
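Since the database password is the one secret that protects everything else, here is an added example (not from the post or from KeePass) of generating a master passphrase from a word list with the operating system's CSPRNG and working out how many words are needed for a given entropy target. The word list in the block is a constructed toy stand-in; a real diceware-style list (the EFF long list has 7776 words) should be used in practice, and the functions take the list size as a parameter so the arithmetic carries over.

```python
"""Generate a master passphrase for the KeePass database file.

Added example; not from the post or from KeePass. TOY_WORDS is a constructed
stand-in for a real diceware-style list (e.g. the EFF long list, 7776 words).
"""
import math
import secrets

# Constructed toy list (16 words = 4 bits per word); use a published list of
# thousands of words for a real passphrase.
TOY_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def entropy_bits(n_words, wordlist_size):
    """Entropy of an n-word passphrase drawn uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def make_passphrase(n_words, wordlist=TOY_WORDS, sep=" "):
    """Draw words with secrets.choice (OS CSPRNG), never the random module."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    n = words_needed(80, 7776)
    print("%d words from a 7776-word list give %.1f bits" % (n, entropy_bits(n, 7776)))
    print("from the toy list (demo only):", make_passphrase(n))
```

The entropy figure holds only if every word is chosen uniformly and independently, which is exactly what secrets.choice does and what picking words yourself does not.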

Putting your file where all your apps can access it

Obviously you can keep the file on your local device, be it laptop or phone or wherever you'd like it to be, but the real value of a password manager is that it is available to you whenever you need it, which means sticking the file somewhere on the internet. The benefit of KeePass is that you can stick it on a bunch of different services. Dropbox and Google Drive seem to be the most commonly used, but if you have one, you can also host the database file on your own server and access it via SFTP. You simply upload the database file to a place on your server; whether that works then depends on whether the app you use supports SFTP.

Mobile and web apps and Chrome browser extension

I'm mainly an Android and ChromeOS user, and for Android there are a number of options. I ended up going with KeePass2Android Password, and that does the job for me. If you need access to the file from a computer that is not your own, you can use KeeWeb and point it to where your file lives (easiest if you have it on Dropbox or Google Drive).

For Chrome (and thus ChromeOS), there's an extension called CKP, which provides read-only KeePass password database integration for Chrome. You simply point it to your file, type in your master password, and you are away.

I was thinking about this after reading your post - the idea of being in charge of your own database of passwords is good, but it has a minor flaw for me, which is that it doesn’t solve the ‘hard reset’ problem.

I’ve lost devices in random parts of the world, and have been able to just pick up a new one and start from scratch because all my passwords are with my secure provider of choice (in my case, Dashlane). If I manage them manually, or have them in Dropbox/Drive, then I’d have to remember my DB (or worse, Google) password in addition to the master key, which kinda defeats the purpose. Do you memorise both? Or are you ok with having to go back home to restart?

I think it’s probably ok to have to remember two passwords, but it could lead down a slippery slope, so I’d rather have everything in one place.

I've used KeePass for some years now. Very happy with it. I'm using a composite key (RSA private key file plus a passphrase) which gives me a better feeling in my tummy at a slight cost in convenience. KeePassDroid has been okay for Android but I think I'll give that KP2APwd thingy a whirl.

I'm still a LastPass user, but Chrome's keystore seems to be winning me over. Autofill on Android is a big plus. Not to mention my faith in Google's security and PII stewardship (but that could be the Kool-Aid talking).

I opted for remembering two passwords, although that makes me the weakest link in the situation. If you store the database somewhere off your device, which you should, you will have the problem of having to remember two passwords.

It's true that you do lose the convenience of having it all in one place, but you also gain the security of not having to worry about reading that $passwordmanager was compromised and all user data and passwords were siphoned off by evil 1337 haX0rz.

A further benefit of using KeePass is that nothing but the encrypted database is sent over the network when you use it. Once you've pointed your client at the database, it's downloaded, and your password is verified against the database and is not transmitted anywhere. Any changes you make to the database are submitted to the file first, and then the entire encrypted database is synced. There have been some worries about closed-source password managers transmitting your master password unencrypted over the internet. KeePass, I believe, doesn't have this vulnerability.

I'm also tempted by the keystore in Chrome; it really is super convenient. That, however, locks me into using Chrome forever, and I'm trying to get less dependent on commercial companies having control of my passwords.

I do have faith in Google's security on that front as well, but I would still prefer not having my passwords maintained solely by a company, and mainly by myself (: